Diffstat (limited to 'bin/dnssec')
-rw-r--r--bin/dnssec/dnssec-keyfromlabel.c2
-rw-r--r--bin/dnssec/dnssec-keygen.c12
-rw-r--r--bin/dnssec/dnssec-revoke.c3
-rw-r--r--bin/dnssec/dnssec-settime.c35
-rw-r--r--bin/dnssec/dnssec-signzone.c61
5 files changed, 94 insertions, 19 deletions
diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c
index e91e02d..6572d4c 100644
--- a/bin/dnssec/dnssec-keyfromlabel.c
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@@ -356,6 +356,8 @@ main(int argc, char **argv) {
fprintf(stderr, "The use of RSA (RSAMD5) is not recommended.\n"
"If you still wish to use RSA (RSAMD5) please "
"specify \"-a RSAMD5\"\n");
+ if (freeit != NULL)
+ free(freeit);
return (1);
} else {
r.base = algname;
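Review bot: The NULL guard around `free(freeit)` on the added lines is redundant, because free(NULL) is defined to be a no-op; `free(freeit);` alone is the idiomatic form. This hunk only covers the RSAMD5 rejection path, so it is worth checking that the other early `return (1);` exits of main() release `freeit` the same way, since the parallel change in dnssec-keygen.c takes a different approach (it asserts the pointer is NULL instead). main() continues outside the hunk.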
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index 8af100c..3d22f99 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -526,6 +526,7 @@ main(int argc, char **argv) {
"recommended.\nIf you still wish to "
"use RSA (RSAMD5) please specify "
"\"-a RSAMD5\"\n");
+ INSIST(freeit == NULL);
return (1);
} else if (strcasecmp(algname, "HMAC-MD5") == 0)
alg = DST_ALG_HMACMD5;
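Review bot: `INSIST(freeit == NULL);` on the RSAMD5 exit path turns a user-facing error return into an assertion abort if `freeit` was ever allocated before this point, whereas the equivalent change in dnssec-keyfromlabel.c in this same commit frees it and returns 1. If the invariant really holds (nothing visible in the hunk shows where `freeit` is assigned), the INSIST deserves a one-line justification such as `/* freeit is only allocated after the algorithm name has been validated */`; if it cannot be guaranteed, `free(freeit);` as in keyfromlabel is the safer and consistent choice. main() continues outside the hunk.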
@@ -960,8 +961,15 @@ main(int argc, char **argv) {
dst_key_settime(key, DST_TIME_INACTIVE,
inactive);
- if (setdel)
+ if (setdel) {
+ if (setinact && delete < inactive)
+ fprintf(stderr, "%s: warning: Key is "
+ "scheduled to be deleted "
+ "before it is scheduled to be "
+ "made inactive.\n",
+ program);
dst_key_settime(key, DST_TIME_DELETE, delete);
+ }
} else {
if (setpub || setact || setrev || setinact ||
setdel || unsetpub || unsetact ||
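Review bot: The new warning text ("before it is scheduled to be made inactive") differs from the one this commit adds for the same condition in dnssec-settime.c ("before it is scheduled to be inactive"); aligning the wording keeps log filtering across the two tools simple. The comparison is only evaluated under `setdel`, which appears correct for a freshly generated key since there is no previously stored deletion time to compare against, but that reasoning is worth a short comment on the `if (setdel) {` line. main() continues outside the hunk.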
diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c
index 8346f1c..fb116e6 100644
--- a/bin/dnssec/dnssec-revoke.c
+++ b/bin/dnssec/dnssec-revoke.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2009-2011 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009-2012 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -20,7 +20,6 @@
#include <config.h>
-#include <libgen.h>
#include <stdlib.h>
#include <unistd.h>
diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c
index f7f4486..a7fbed3 100644
--- a/bin/dnssec/dnssec-settime.c
+++ b/bin/dnssec/dnssec-settime.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2009-2012 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009-2013 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -20,7 +20,6 @@
#include <config.h>
-#include <libgen.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
@@ -140,6 +139,7 @@ main(int argc, char **argv) {
int prepub = -1;
isc_stdtime_t now;
isc_stdtime_t pub = 0, act = 0, rev = 0, inact = 0, del = 0;
+ isc_stdtime_t prevact = 0, previnact = 0, prevdel = 0;
isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE;
isc_boolean_t setrev = ISC_FALSE, setinact = ISC_FALSE;
isc_boolean_t setdel = ISC_FALSE;
@@ -344,7 +344,6 @@ main(int argc, char **argv) {
if (predecessor != NULL) {
char keystr[DST_KEY_FORMATSIZE];
- isc_stdtime_t when;
int major, minor;
if (prepub == -1)
@@ -376,19 +375,20 @@ main(int argc, char **argv) {
fatal("Predecessor has incompatible format "
"version %d.%d\n\t", major, minor);
- result = dst_key_gettime(prevkey, DST_TIME_ACTIVATE, &when);
+ result = dst_key_gettime(prevkey, DST_TIME_ACTIVATE, &prevact);
if (result != ISC_R_SUCCESS)
fatal("Predecessor has no activation date. "
"You must set one before\n\t"
"generating a successor.");
- result = dst_key_gettime(prevkey, DST_TIME_INACTIVE, &act);
+ result = dst_key_gettime(prevkey, DST_TIME_INACTIVE,
+ &previnact);
if (result != ISC_R_SUCCESS)
fatal("Predecessor has no inactivation date. "
"You must set one before\n\t"
"generating a successor.");
- pub = act - prepub;
+ pub = prevact - prepub;
if (pub < now && prepub != 0)
fatal("Predecessor will become inactive before the\n\t"
"prepublication period ends. Either change "
@@ -396,13 +396,18 @@ main(int argc, char **argv) {
"or use the -i option to set a shorter "
"prepublication interval.");
- result = dst_key_gettime(prevkey, DST_TIME_DELETE, &when);
+ result = dst_key_gettime(prevkey, DST_TIME_DELETE, &prevdel);
if (result != ISC_R_SUCCESS)
- fprintf(stderr, "%s: WARNING: Predecessor has no "
+ fprintf(stderr, "%s: warning: Predecessor has no "
"removal date;\n\t"
"it will remain in the zone "
"indefinitely after rollover.\n",
program);
+ else if (prevdel < previnact)
+ fprintf(stderr, "%s: warning: Predecessor is "
+ "scheduled to be deleted\n\t"
+ "before it is scheduled to be "
+ "inactive.\n", program);
changed = setpub = setact = ISC_TRUE;
dst_key_free(&prevkey);
@@ -464,6 +469,20 @@ main(int argc, char **argv) {
fatal("Key flags mismatch");
}
+ prevdel = previnact = 0;
+ if ((setdel && setinact && del < inact) ||
+ (dst_key_gettime(key, DST_TIME_INACTIVE,
+ &previnact) == ISC_R_SUCCESS &&
+ setdel && !setinact && del < previnact) ||
+ (dst_key_gettime(key, DST_TIME_DELETE,
+ &prevdel) == ISC_R_SUCCESS &&
+ setinact && !setdel && prevdel < inact) ||
+ (!setdel && !setinact && prevdel < previnact))
+ fprintf(stderr, "%s: warning: Key is scheduled to "
+ "be deleted before it is\n\t"
+ "scheduled to be inactive.\n",
+ program);
+
if (force)
set_keyversion(key);
else
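Review bot: The fourth clause of the new condition, `(!setdel && !setinact && prevdel < previnact)`, emits a false "deleted before inactive" warning for a key that has an inactivation date but no deletion date: `prevdel` keeps the 0 it was reset to when the DST_TIME_DELETE lookup fails (assuming the getter leaves its output untouched on failure, which the explicit reset suggests), and `0 < previnact` is then true. The expression also relies on the short-circuit order of the two embedded `dst_key_gettime()` calls to populate variables that later clauses read, which is fragile to edit. Reading both stored times up front with explicit success flags and comparing the effective values produces the same warning in the three intended cases and drops the spurious one. main() continues outside the hunk.

```c
	prevdel = previnact = 0;
	{
		isc_stdtime_t effinact = inact, effdel = del;
		isc_boolean_t haveinact = setinact, havedel = setdel;

		/* Fall back to the times already stored in the key. */
		if (!setinact &&
		    dst_key_gettime(key, DST_TIME_INACTIVE,
				    &previnact) == ISC_R_SUCCESS) {
			effinact = previnact;
			haveinact = ISC_TRUE;
		}
		if (!setdel &&
		    dst_key_gettime(key, DST_TIME_DELETE,
				    &prevdel) == ISC_R_SUCCESS) {
			effdel = prevdel;
			havedel = ISC_TRUE;
		}
		/* Only warn when both dates are actually known. */
		if (haveinact && havedel && effdel < effinact)
			fprintf(stderr, "%s: warning: Key is scheduled to "
				"be deleted before it is\n\t"
				"scheduled to be inactive.\n",
				program);
	}
	/* ... unchanged: if (force) set_keyversion(key); ... */
```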
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 2376249..86c3aee 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -646,6 +646,8 @@ hashlist_add(hashlist_t *l, const unsigned char *hash, size_t len)
if (l->entries == l->size) {
l->size = l->size * 2 + 100;
l->hashbuf = realloc(l->hashbuf, l->size * l->length);
+ if (l->hashbuf == NULL)
+ fatal("unable to grow hashlist: out of memory");
}
memset(l->hashbuf + l->entries * l->length, 0, l->length);
memcpy(l->hashbuf + l->entries * l->length, hash, len);
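Review bot: The new NULL check covers allocation failure but not the size arithmetic feeding it: `l->size * 2 + 100` and `l->size * l->length` are unchecked, and if those fields are size_t (their declarations are not in the hunk) a wrapped product lets realloc() succeed with a buffer far smaller than `l->entries` implies, after which the memset/memcpy below write past its end. A guard such as `if (l->size > SIZE_MAX / l->length) fatal("hashlist too large");` before the realloc() closes that path, and `len` should likewise be compared with `l->length` before the memcpy unless every caller already guarantees it. Overwriting `l->hashbuf` with realloc()'s result is acceptable only because fatal() presumably does not return; a one-line comment saying so would spare the next reader the leak question. hashlist_add() continues outside the hunk.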
@@ -2027,7 +2029,9 @@ add_ds(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t nsttl) {
* Remove records of the given type and their signatures.
*/
static void
-remove_records(dns_dbnode_t *node, dns_rdatatype_t which) {
+remove_records(dns_dbnode_t *node, dns_rdatatype_t which,
+ isc_boolean_t checknsec)
+{
isc_result_t result;
dns_rdatatype_t type, covers;
dns_rdatasetiter_t *rdsiter = NULL;
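Review bot: The header comment above remove_records() still reads "Remove records of the given type and their signatures." and says nothing about the new `checknsec` parameter, whose effect is only discoverable from the body and the call sites (the nsecify() call below a zone cut passes ISC_FALSE). Suggest extending it to: `Remove records of the given type and their signatures. If 'checknsec' is true, finding NSEC or NSEC3PARAM records without -u (update_chain) is a fatal error.` The function body continues past the end of the hunk.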
@@ -2048,10 +2052,12 @@ remove_records(dns_dbnode_t *node, dns_rdatatype_t which) {
covers = rdataset.covers;
dns_rdataset_disassociate(&rdataset);
if (type == which || covers == which) {
- if (which == dns_rdatatype_nsec && !update_chain)
+ if (which == dns_rdatatype_nsec &&
+ checknsec && !update_chain)
fatal("Zone contains NSEC records. Use -u "
"to update to NSEC3.");
- if (which == dns_rdatatype_nsec3param && !update_chain)
+ if (which == dns_rdatatype_nsec3param &&
+ checknsec && !update_chain)
fatal("Zone contains NSEC3 chains. Use -u "
"to update to NSEC.");
result = dns_db_deleterdataset(gdb, node, gversion,
@@ -2063,6 +2069,39 @@ remove_records(dns_dbnode_t *node, dns_rdatatype_t which) {
dns_rdatasetiter_destroy(&rdsiter);
}
+/*
+ * Remove signatures covering the given type (0 == all signatures).
+ */
+static void
+remove_sigs(dns_dbnode_t *node, dns_rdatatype_t which) {
+ isc_result_t result;
+ dns_rdatatype_t type, covers;
+ dns_rdatasetiter_t *rdsiter = NULL;
+ dns_rdataset_t rdataset;
+
+ dns_rdataset_init(&rdataset);
+ result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
+ check_result(result, "dns_db_allrdatasets()");
+ for (result = dns_rdatasetiter_first(rdsiter);
+ result == ISC_R_SUCCESS;
+ result = dns_rdatasetiter_next(rdsiter)) {
+ dns_rdatasetiter_current(rdsiter, &rdataset);
+ type = rdataset.type;
+ covers = rdataset.covers;
+ dns_rdataset_disassociate(&rdataset);
+
+ if (type == dns_rdatatype_rrsig &&
+ (covers == which || which == 0))
+ {
+ result = dns_db_deleterdataset(gdb, node, gversion,
+ type, covers);
+ check_result(result, "dns_db_deleterdataset()");
+ continue;
+ }
+ }
+ dns_rdatasetiter_destroy(&rdsiter);
+}
+
/*%
* Generate NSEC records for the zone and remove NSEC3/NSEC3PARAM records.
*/
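Review bot: `which == 0` in remove_sigs() uses a bare literal as the "all types" sentinel; `dns_rdatatype_none` is the named value for that and would make both the comment and every `remove_sigs(node, 0)` call self-describing. The `continue;` at the end of the if-block is the last statement of the loop body and can be dropped. The iteration skeleton duplicates remove_records() line for line; a shared static helper, or a single function with a mode flag, would keep the two deletion loops from drifting apart.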
@@ -2139,14 +2178,17 @@ nsecify(void) {
}
if (dns_name_equal(name, gorigin))
- remove_records(node, dns_rdatatype_nsec3param);
+ remove_records(node, dns_rdatatype_nsec3param,
+ ISC_TRUE);
if (delegation(name, node, &nsttl)) {
zonecut = dns_fixedname_name(&fzonecut);
dns_name_copy(name, zonecut, NULL);
+ remove_sigs(node, 0);
if (generateds)
add_ds(name, node, nsttl);
}
+
result = dns_dbiterator_next(dbiter);
nextnode = NULL;
while (result == ISC_R_SUCCESS) {
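Review bot: `remove_sigs(node, 0)` at the delegation strips every RRSIG on the node, including those over DS and NSEC, the two RRsets that legitimately carry signatures at a zone cut; this is only safe if the later signing pass regenerates them unconditionally, including when `generateds` is false and an existing DS RRset is kept as-is. If that is the intent, a one-line comment such as `/* drop stale signatures at the cut; DS and NSEC are re-signed later */` would record it; otherwise restricting the call to types that must not be signed at a cut would be safer. The same call is added in nsec3ify() at the corresponding delegation branch later in this diff. nsecify() continues outside the hunk.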
@@ -2164,6 +2206,9 @@ nsecify(void) {
(zonecut != NULL &&
dns_name_issubdomain(nextname, zonecut)))
{
+ remove_sigs(nextnode, 0);
+ remove_records(nextnode, dns_rdatatype_nsec,
+ ISC_FALSE);
dns_db_detachnode(gdb, &nextnode);
result = dns_dbiterator_next(dbiter);
continue;
@@ -2555,7 +2600,7 @@ nsec3ify(unsigned int hashalg, unsigned int iterations,
}
if (dns_name_equal(name, gorigin))
- remove_records(node, dns_rdatatype_nsec);
+ remove_records(node, dns_rdatatype_nsec, ISC_TRUE);
result = dns_dbiterator_next(dbiter);
nextnode = NULL;
@@ -2572,6 +2617,7 @@ nsec3ify(unsigned int hashalg, unsigned int iterations,
if (!dns_name_issubdomain(nextname, gorigin) ||
(zonecut != NULL &&
dns_name_issubdomain(nextname, zonecut))) {
+ remove_sigs(nextnode, 0);
dns_db_detachnode(gdb, &nextnode);
result = dns_dbiterator_next(dbiter);
continue;
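Review bot: This occluded-name branch in nsec3ify() only adds `remove_sigs(nextnode, 0);`, while the matching branch in nsecify() earlier in this commit also calls `remove_records(nextnode, dns_rdatatype_nsec, ISC_FALSE);`. If the goal is to clean stale chain data from names below a zone cut, the NSEC3 path would presumably need the same treatment (and, by symmetry, stale NSEC3 data would need removing in the NSEC path), so it is worth confirming whether the asymmetry is deliberate and noting why in a comment. nsec3ify() continues outside the hunk.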
@@ -2579,6 +2625,7 @@ nsec3ify(unsigned int hashalg, unsigned int iterations,
if (delegation(nextname, nextnode, &nsttl)) {
zonecut = dns_fixedname_name(&fzonecut);
dns_name_copy(nextname, zonecut, NULL);
+ remove_sigs(nextnode, 0);
if (generateds)
add_ds(nextname, nextnode, nsttl);
if (OPTOUT(nsec3flags) &&
@@ -3011,7 +3058,7 @@ set_nsec3params(isc_boolean_t update_chain, isc_boolean_t set_salt,
dns_rdata_nsec3_t nsec3;
dns_fixedname_t fname;
dns_name_t *hashname;
- unsigned char orig_salt[256];
+ unsigned char orig_salt[255];
size_t orig_saltlen;
dns_hash_t orig_hash;
isc_uint16_t orig_iter;
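Review bot: Shrinking `orig_salt` to 255 bytes matches the one-octet NSEC3 salt length field, but the buffer is now exactly at the wire maximum, so its safety depends on the copy into it (outside this hunk) being bounded by `sizeof(orig_salt)` rather than by the old 256. A check such as `INSIST(nsec3.salt_length <= sizeof(orig_salt));` before whatever fills the buffer is cheap insurance against a future change in how the salt is obtained. set_nsec3params() continues outside the hunk.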